This of course will only work for traffic that is traversing that uplink. If you have wireless users who's traffic terminates on that controller, it does not traverse that link, so you would have to block their traffic via user role.